BLOG POST

  1. Blog Post

Heartbleed: 0-day Vulnerability in OpenSSL

by: Garrett Stiles In: News
Tags: Cyber Attack, 0-Day Vulnerability, Web Applications, OpenSSL
APR 08 2014
featured-image

Heartbleed-01 by EFF Photos is licensed under CC BY 2.0

A widespread and impactful 0-day vulnerability has been identified in current versions of OpenSSL that is utilized in most Linux and Unix based web servers that serve pages over SSL/TLS encryption

What is it?

This vulnerability (CVE-2014-0160) colloquially titled "Heartbleed" exploits a programmatic mistake in the versions of OpenSSL from 1.0.1 to 1.0.1f. Versions 1.0.0 and earlier are not vulnerable. This allows a buffer over-read of the webserver's memory culminating in private key compromise, credential compromise and cookie leakage.

What should I do?

here are a few options for validating that your site is vulnerable.

  1. The best option is to audit the version number of OpenSSL you are running on each webserver that is serving pages over SSL/TLS. Versions less than 1.0.1g are vulnerable.
  2. Another option is to plug your web URL into this site: http://filippo.io/Heartbleed/. NOTE: while this option is the quickest and least intrusive, it should be considered untrusted and potentially logging all vulnerable sites. Use this option only if you are comfortable with this possible scenario.
  3. Run a script against your URL with auditable code located here: https://gist.github.com/sh1n0b1/10100394. This is guaranteed not to be logging any results as the source code is there for review. This can also enable you to script checks of all sites to be audited.

I'm vulnerable, now what?

A new patched (non-vulnerable) version of OpenSSL is available: 1.0.1g. You will need to update to this version (Note: consult your distribution's package repository as this version number may vary based on security backporting, etc). Also, your private key associated with your SSL certificate could be compromised. A new certificate should be generated by your certificate authority and installed on your web server. If your private key is compromised any traffic encrypted with your current certificate could be decrypted, which negates all confidentiality and integrity of any message or data captured, thus completely defeating SSL/TLS.

For more information:

Official CVE listing: https://cve.mitre.org/cgi-bin/cvename.

OpenSSL's statement:http://www.openssl.org/news/secadv_20140407.txt

More info: http://heartbleed.com/

Search

CATEGORIES

FEEDS

RSS / Atom

GET IN TOUCH

Call us at (214) 556-6613 or   CONTACT US